Digital Forensics and Incident Response capabilities, otherwise known as DFIR, are services aimed at explaining and reducing the dynamic loss of information confidentiality, integrity, and availability. In particular, Incident Response personnel will be called upon when there is a violation to an organization’s security policy. For example, an organization may engage their Incident Response team when the following occurs: conflicts in repudiation, unauthorized surveillance activities, harassment, extortion, the trafficking of pornography, organized crime, subversion, and hoaxes .
Issues with repudiation stem from invalid system actions performed on behalf of a subject. For instance, a Cross-Site Request Forgery (CSRF) attack may be considered such an incident because an attacker is sending erroneous web requests on behalf of authorized end-user. Unauthorized surveillance is when unauthorized subjects conduct reconnaissance and enumeration activities in preparation for an attack. Examples of this type of incident includes war driving, “Ping Sweeps,” and system vulnerability scans. Harassment includes cyber-bullying and cyber-stalking, both of which have increased with the uptick in social media use in recent years. Extortion is when a subject black-mails another (an organization for instance) to gain leverage or profit. Companies with a valuable reputation are exposed to this risk when attackers collect unfavorable media and information on them.
Trafficking pornography is the storage, transmission, and retrieval (download) of sexually explicit media. For instance, computer forensic examiners and incident handlers may be tasked with responding to steganography usage, a common technique for child predators. Security incidents involving organized crime center around criminals using computers for drug trafficking, human trafficking, and creating fake credentials (driver’s licenses, identification cards, access badges, etc.). Subversion is when an unanticipated event occurs instead of an expected action. An example is when end-users attempt to authenticate with a fake social media website using their legitimate credentials. They expect to gain network access. Instead, their credentials are stolen. Lastly, hoaxes are fake warnings of malware or Denial of Service (DoS) attacks. For instance, an in Incident Response team may be tasked with validating whether or not an information system was actually infected with a virus, worm, or bot-net software.